Cisco NetFlow enables tracking of IP flows as they are passed through routers and multilayer switches. An IP flow is a set of IP packets within a specific time slot that share a number of properties, such as the same source address, destination address, type of service, and protocol number. NetFlow information is forwarded to a network data analyzer, network planning tools, RMON applications, or accounting and billing applications. NetFlow allows for network planning, traffic engineering, usage-based network billing, accounting, denial-of-service monitoring capabilities, and application monitoring. One big benefit is that NetFlow provides the necessary data for billing of network usage. The most recent version of NetFlow is NetFlow version 9, which is defined in RFC 3954. The NetFlow protocol itself has been superseded by Internet Protocol Flow Information Export (IPFIX). Based on the NetFlow version 9 implementation, IPFIX is on the IETF standards track with RFCs 7011 and 7015.
As shown in Figure 5-7, NetFlow consists of three major components:

Figure 5-7 NetFlow Components
- NetFlow accounting: Collects IP data flows entering router or switch interfaces and prepares data for export. It enables the accumulation of data on flows with unique characteristics, such as IP addresses, applications, and classes of service.
- Flow collector engines: Capture exported data from multiple routers, filter and aggregate the data according to customer policies, and then store this summarized or aggregated data. Examples of collectors are Cisco NetFlow Collector, SolarWinds, and CA NetQoS.
- Network data analyzers: Display a graphical user interface (GUI) and analyze NetFlow data collected from flow collector files. This allows users to complete near-real-time visualization or trending analysis of recorded and aggregated flow data. Users can specify the router and aggregation scheme and the desired time interval.
The benefits of using NetFlow include the following:
- Ability to obtain detailed information with minimal impact to the network devices
- Ability to customize the data captures for each interface
- Ability to include data timestamping across a large number of devices
- Ability to meter network traffic, providing data for billing based on network usage
- Ability to detect and mitigate threats
Routers and switches are the network accounting devices that gather the statistics. These devices aggregate data and export the information. Each unidirectional network flow is identified by both source and destination IP addresses and transport layer port numbers. NetFlow can also identify flows based on IP protocol number, type of service, and input interface. NetFlow data records contain the following information:
- Source and destination IP addresses
- Source and destination TCP/UDP ports
- Type of service (ToS)
- Packet and byte counts
- Start and end timestamps
- Input and output interface numbers
- TCP flags and encapsulated protocol (TCP/UDP)
- Routing information (including next-hop address, source and destination autonomous system number, and destination prefix mask)
- Data analyzers
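
The following sketch is an added example, not code from the original text or from Cisco. It shows how an accounting device can fold packets into unidirectional flows keyed on the identifying fields named above, then uses the resulting records for a simple denial-of-service check. The packet tuples, addresses, function names, and threshold are constructed for illustration.

```python
from collections import defaultdict, namedtuple

# Constructed packet observations; field names are assumptions for this sketch.
Packet = namedtuple("Packet", "ts in_if src dst sport dport proto tos length flags")
SYN, ACK = 0x02, 0x10  # TCP flag bits

def account(packets):
    """Build a flow cache keyed on the fields the text lists as flow identifiers."""
    cache = {}
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.in_if)
        f = cache.setdefault(key, {"packets": 0, "bytes": 0, "start": p.ts,
                                   "end": p.ts, "tcp_flags": 0})
        f["packets"] += 1
        f["bytes"] += p.length
        f["start"] = min(f["start"], p.ts)
        f["end"] = max(f["end"], p.ts)
        f["tcp_flags"] |= p.flags  # cumulative OR of flags seen in the flow
    return cache

def syn_only_sources(cache, threshold):
    """Sources with at least `threshold` TCP flows whose only flag was SYN."""
    counts = defaultdict(int)
    for (src, _dst, _sp, _dp, proto, _tos, _in_if), f in cache.items():
        if proto == 6 and f["tcp_flags"] == SYN:
            counts[src] += 1
    return sorted(s for s, n in counts.items() if n >= threshold)

def sample_packets():
    pkts = [
        # Normal client/server exchange: becomes two unidirectional flows.
        Packet(1.0, 1, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 60, SYN),
        Packet(1.1, 2, "192.0.2.10", "10.0.0.5", 443, 40000, 6, 0, 60, SYN | ACK),
        Packet(1.2, 1, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 52, ACK),
        Packet(1.3, 1, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 500, ACK),
    ]
    # One source sending SYNs that are never followed up: five SYN-only flows.
    pkts += [Packet(2.0 + i / 10, 1, "198.51.100.7", "192.0.2.10",
                    50000 + i, 80, 6, 0, 60, SYN) for i in range(5)]
    return pkts

if __name__ == "__main__":
    cache = account(sample_packets())
    for key, flow in cache.items():
        print(key, flow)
    print("SYN-only sources:", syn_only_sources(cache, threshold=3))
```

Because flows are unidirectional, the client-to-server and server-to-client halves of one TCP connection appear as separate records, which is why the check looks at the cumulative flags of each record on its own.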